Waraxe IT Security Portal  
  Login or Register
::  Home  ::  Search  ::  Your Account  ::  Forums  ::   Waraxe Advisories  ::  Tools  ::
December 14, 2019
Menu
 Home
 Logout
 Discussions
 Forums
 Members List
 IRC chat
 Tools
 Base64 coder
 MD5 hash
 CRC32 checksum
 ROT13 coder
 SHA-1 hash
 URL-decoder
 Sql Char Encoder
 Affiliates
 y3dips ITsec
 Md5 Cracker
 User Manuals
 AlbumNow
 Content
 Content
 Sections
 FAQ
 Top
 Info
 Feedback
 Recommend Us
 Search
 Journal
 Your Account



User Info
Welcome, Anonymous
Nickname
Password
(Register)

Membership:
Latest: MichaelSnaRe
New Today: 0
New Yesterday: 0
Overall: 9145

People Online:
Visitors: 226
Members: 1
Total: 227

Online Now:
01: kolaz - Homepage
PacketStorm News
Currently there is a problem with headlines from this site
Log in Register Forum FAQ Memberlist Search
IT Security and Insecurity Portal

www.waraxe.us Forum Index -> PhpBB -> 2 new Vulnerabilities 2.0.17 Goto page 1, 2  Next
Post new topic  Reply to topic View previous topic :: View next topic 
2 new Vulnerabilities 2.0.17
PostPosted: Mon Oct 31, 2005 8:53 pm Reply with quote
WaterBird
Active user
Active user
 
Joined: May 16, 2005
Posts: 37




PHPBB Multiple Unspecified Vulnerabilities
2005-10-31
http://www.securityfocus.com/bid/15246

PHPBB Global Variable Deregistration Bypass Vulnerabilities
2005-10-31
http://www.securityfocus.com/bid/15243
View user's profile Send private message
PostPosted: Mon Oct 31, 2005 11:21 pm Reply with quote
chapinhack
Beginner
Beginner
 
Joined: Nov 01, 2005
Posts: 1




how to operate this bug? some examples?
View user's profile Send private message MSN Messenger
PostPosted: Tue Nov 01, 2005 1:00 am Reply with quote
shai-tan
Valuable expert
Valuable expert
 
Joined: Feb 22, 2005
Posts: 477




Read it properly chapinhack


Quote:
phpBB is prone to multiple unspecified vulnerabilities. Some of these issues result from insufficient sanitization of user-supplied data, however, the causes and impacts of other issues were not specified.

phpBB 2.0.17 and prior versions are affected by these issues.

Due to a lack of information, further details cannot be provided at the moment. It is possible that some of these issues were reported prior to the release of this record. This BID will be updated when more information becomes available.
Wink

_________________
Shai-tan

?In short: just say NO TO DRUGS, and maybe you won?t end up like the Hurd people.? -- Linus Torvalds
View user's profile Send private message
PostPosted: Tue Nov 01, 2005 6:34 am Reply with quote
g30rg3_x
Active user
Active user
 
Joined: Jan 23, 2005
Posts: 31
Location: OutSide Of The PE




i think most of this "fixes" just make for improvemmed...

as now i just see some and they are just for performarce, i didn't see at all because it is a large list...

but if i found one, i would make a full description...

grettings from mexico


Last edited by g30rg3_x on Tue Nov 01, 2005 3:45 pm; edited 1 time in total
View user's profile Send private message Send e-mail Visit poster's website MSN Messenger
PostPosted: Tue Nov 01, 2005 7:03 am Reply with quote
shai-tan
Valuable expert
Valuable expert
 
Joined: Feb 22, 2005
Posts: 477




Not just that but there was a way to by pass the register globals disabling in the phpBB script.

_________________
Shai-tan

?In short: just say NO TO DRUGS, and maybe you won?t end up like the Hurd people.? -- Linus Torvalds
View user's profile Send private message
PostPosted: Tue Nov 01, 2005 3:43 pm Reply with quote
g30rg3_x
Active user
Active user
 
Joined: Jan 23, 2005
Posts: 31
Location: OutSide Of The PE




yeah but is still hard for bypass register_globals

but we can make a just little code for PoC...

grettings shai-tan
View user's profile Send private message Send e-mail Visit poster's website MSN Messenger
PostPosted: Tue Nov 01, 2005 4:49 pm Reply with quote
shai-tan
Valuable expert
Valuable expert
 
Joined: Feb 22, 2005
Posts: 477




Not as hard as you might think.

Quote:
Bypass Vulnerabilities

----------------------



[1] In PHP5 <= 5.0.5 it is possible to register f.e. the global

variable $foobar by supplying a GET/POST/COOKIE variable

with the name 'foobar' but also by supplying a GPC variable

called 'GLOBALS[foobar]'. If the variable is supplied in

that way, the code above will not try to unset $foobar, but

$GLOBALS, which completely bypasses the protection.



[2] When the session extension is not started by a call to

session_start(), PHP does not know about the variables

$_SESSION or $HTTP_SESSION_VARS, which means, it is possible

to fill them with any value if register_globals is turned on.

Combined with the fact (that was even documented in the phpBB

code), that array_merge() will fail in PHP5, when at least

one of the parameters is not an array, it is possible for an

attacker to simply set HTTP_SESSION_VARS to a string and let

the complete protection fail, because $input ends up empty.



[3] When register_long_array is turned off PHP does not know

anymore about all the HTTP_* variables. This means they can

be filled with anything that is completely unrelated to the

existing global variables. It is obvious that the protection

cannot work, when this configuration is choosen.



Additonally to the 3 possible ways to bypass the globals

deregistration code, several not properly initalised variables

were disclosed to the vendor, that can even lead to remote code

execution.


And once you have done so this is the options you can look at.

Quote:

Not properly initialised variables

----------------------------------



[1] Within usercp_register.php the variable 'error_msg' is not

properly initialised and can therefore be used to inject

arbitrary HTML code



[2] Within login.php the variable 'forward_page' is not properly

initialised and can be used to inject arbitrary HTML code



[3] Within search.php the variable 'list_cat' is not properly

initialised and can be used to inject arbitrary HTML



[4] Within usercp_register.php the variable 'signature_bbcode_uid'

is not properly initialised and can be used for SQL injection

of arbitrary 'field=xxx' statements into queries operating

on the user table, when magic_quotes_gpc is turned off.



[5] The same variable [4] can be used to inject f.e. the 'e'

modifier into the first parameter of a preg_replace()

statement, which means, that the second parameter is

evaluated as PHP code. Because the second parameter is

entirely filled with the user supplied signature, it is

possible to execute any PHP code. This can be exploited,

no matter if magic_quotes_gpc is turned on or off, just

2 different code paths need to be triggered.


Glad to see you again g30rg3_x.

_________________
Shai-tan

?In short: just say NO TO DRUGS, and maybe you won?t end up like the Hurd people.? -- Linus Torvalds
View user's profile Send private message
PostPosted: Tue Nov 01, 2005 7:49 pm Reply with quote
Tomanas
Active user
Active user
 
Joined: Jan 30, 2005
Posts: 29




ok, i read whole document and i still don't know how to exploit that bug Wink
View user's profile Send private message
PostPosted: Wed Nov 02, 2005 1:15 am Reply with quote
g30rg3_x
Active user
Active user
 
Joined: Jan 23, 2005
Posts: 31
Location: OutSide Of The PE




Shocked

Thank you shai-tan...
with this i think i can make a little PoC

grettings


Last edited by g30rg3_x on Thu Nov 03, 2005 2:50 pm; edited 1 time in total
View user's profile Send private message Send e-mail Visit poster's website MSN Messenger
PostPosted: Wed Nov 02, 2005 2:17 am Reply with quote
shai-tan
Valuable expert
Valuable expert
 
Joined: Feb 22, 2005
Posts: 477




http://www.hardened-php.net/advisory_172005.75.html



No problem.

_________________
Shai-tan

?In short: just say NO TO DRUGS, and maybe you won?t end up like the Hurd people.? -- Linus Torvalds
View user's profile Send private message
PostPosted: Wed Nov 02, 2005 10:44 pm Reply with quote
WaterBird
Active user
Active user
 
Joined: May 16, 2005
Posts: 37




as always waiting for an exploit Wink
View user's profile Send private message
PostPosted: Thu Nov 03, 2005 12:48 am Reply with quote
shai-tan
Valuable expert
Valuable expert
 
Joined: Feb 22, 2005
Posts: 477




Best and most satisfying is learning how to make them your-self. And then making them Razz


Shai-tan

_________________
Shai-tan

?In short: just say NO TO DRUGS, and maybe you won?t end up like the Hurd people.? -- Linus Torvalds
View user's profile Send private message
PostPosted: Thu Nov 03, 2005 2:48 am Reply with quote
WaterBird
Active user
Active user
 
Joined: May 16, 2005
Posts: 37




shai-tan wrote:
Best and most satisfying is learning how to make them your-self. And then making them Razz


Shai-tan



Don't have mutch time to do that Razz Work etc :} Maybe some day :]
View user's profile Send private message
PostPosted: Thu Nov 03, 2005 3:07 am Reply with quote
shai-tan
Valuable expert
Valuable expert
 
Joined: Feb 22, 2005
Posts: 477




lolz it seems time is everones reason! lolz

_________________
Shai-tan

?In short: just say NO TO DRUGS, and maybe you won?t end up like the Hurd people.? -- Linus Torvalds
View user's profile Send private message
PostPosted: Thu Nov 03, 2005 2:49 pm Reply with quote
g30rg3_x
Active user
Active user
 
Joined: Jan 23, 2005
Posts: 31
Location: OutSide Of The PE




like everybody i dont have really much time...

but i'm researching for exploit or well know in IT Security as Proof-Of-Concept, obviously i dont have enought time to do that rapidly...
so, like shai-tan says its very satisfying learning how to make by your-seld, than just wait for a new exploit/PoC and just used for be just another "deface kiddie or script kiddie"...

grettings from mexico shai-tan && waterbird
View user's profile Send private message Send e-mail Visit poster's website MSN Messenger
2 new Vulnerabilities 2.0.17
  www.waraxe.us Forum Index -> PhpBB
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
All times are GMT  
Page 1 of 2  
Goto page 1, 2  Next
  
  
 Post new topic  Reply to topic  




Powered by phpBB 2001-2008 phpBB Group






Film DVD comments and reviews
All logos and trademarks in this site are property of their respective owner. The comments and posts are property of their posters, all the rest (c) 2004-2013 Janek Vind "waraxe"
Page Generation: 0.093 Seconds